File name:	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
Full analysis:	https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 20:39:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader lumma themida auto stealc netreactor rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	0A7F88A22AE393BE6AAF81E99911559E
SHA1:	618BD53DCB394611C6EE90199ABE534D40DD6958
SHA256:	41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
SSDEEP:	98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0x32b000
UninitializedDataSize:	-
InitializedDataSize:	104960
CodeSize:	321024
LinkerVersion:	14.24
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2024:07:25 12:10:38+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer		—
		MD5:—	SHA256:—
1328	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp		—
		MD5:—	SHA256:—
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer		—
		MD5:—	SHA256:—
5864	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	C:\Windows\Tasks\axplong.job		binary
		MD5:D446F281DFEBA704B5320A0013F90407	SHA256:14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F5.tmp.dmp		binary
		MD5:10DD4789E29A610D920E179A6065F235	SHA256:9E9E1566D184B80B11AAE2B7665637277B3E1F871C8D46CCED0CAAA79F36F818
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA1F.tmp.WERInternalMetadata.xml		xml
		MD5:36BCF3516079CB45F21B95DD9A2CA12D	SHA256:292E3D4BC617BFFE1B10F5C93C3FF37D62513377FD8C83101FB4D10DEFD543C4
5268	am209.exe	C:\Windows\Tasks\defnur.job		binary
		MD5:90BB6E0DD851EA0D50E416EF6D42E49C	SHA256:BE277E49A8A5307E2B5A7DD1EAFF0FCA01290A11DA223DCE17F499CB6F8874C9
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA4F.tmp.xml		xml
		MD5:42A98A39F238CBFBF8A74E30EB2A2689	SHA256:2E3D1EE950A29A6335D59264D27032EA124CAA576B855734B8FC80977EDE6299
5864	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe		executable
		MD5:0A7F88A22AE393BE6AAF81E99911559E	SHA256:41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
5096	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\696969[1].exe		executable
		MD5:89AD45B4A0E2D547C1E09D0A1EA94DF6	SHA256:18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3296	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3296	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/inc/legs.exe	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/test/am209.exe	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3296	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3296	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3296	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5096	axplong.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
pancakedipyps.click	—	malicious
nearycrepso.shop	—	malicious
abruptyopsn.shop	—	malicious
wholersorie.shop	—	malicious
framekgirus.shop	—	malicious
tirepublicerj.shop	—	malicious

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Process	Message
41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe

0A7F88A22AE393BE6AAF81E99911559E

618BD53DCB394611C6EE90199ABE534D40DD6958

41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE

98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY mutex has been found

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been found (auto)

LUMMA has been detected (SURICATA)

AMADEY has been detected (YARA)

STEALER has been found (auto)

StealC has been detected

Steals credentials from Web Browsers

STEALC has been detected (YARA)

Actions looks like stealing of personal data

LUMMA mutex has been found

LUMMA has been detected (YARA)

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Starts itself from another location

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

Process requests binary or script from the Internet

Application launched itself

Connects to the server without a host name

Executes application which crashes

Windows Defender mutex has been found

There is functionality for enable RDP (YARA)

The process executes via Task Scheduler

Searches for installed software

INFO

Sends debugging messages

Create files in a temporary directory

Checks proxy server information

Checks supported languages

Reads the computer name

Process checks computer location settings

The process uses the downloaded file

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

Themida protector has been detected

.NET Reactor protector has been detected

Reads product name

Reads Environment values

Reads CPU info

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Amadey

Information

Modules

Information

Modules

Information

Modules

Information